The explosive growth of online cybercrime in the last two decades has set modern IT departments an almost impossible challenge.

At the start of this era, security was largely about access control, packet and protocol filtering using firewalls, and data confidentiality from the comfort of a fixed, predictable perimeter. These days, application development, the arrival of the cloud, and the extension of networks to serve mobile devices and remote access, mean that this perimeter model has started to show troubling cracks.

• The attack surface – vulnerable devices, servers, applications, and the volume of data – has grown dramatically. To cope, more and more security layers have been added to protect it, each with its own job. This has multiplied the complexity of network and security management severalfold.
• Maintaining this infrastructure has become capital intensive, consuming budgets that grow with every passing year to meet the challenge of new threats.
• The demand for expertise and experience has outgrown the available supply, creating a skills shortage estimated to be around 3.5 million unfilled posts by 2021, more than three times the figure for 2014.

One response to these problems has been the growth in managed security service providers (MSSPs), third parties which take on some of the security workload, for example threat processing and alerting. For organizations that fear being overwhelmed with the burden of constant equipment upgrades to fight novel threats, this has important advantages but, depending on the services offered by each MSSP, is not always a perfect solution for every enterprise.

Managed detection and response (MDR)

A fundamental limitation of some MSSP services is that while they detect attacks and issue alerts, they don’t always respond to them with enough depth, a task that is passed to the inhouse IT department. In other cases, the level of detection offered might not include sophisticated event correlation. 

Increasingly, however, MSSPs are upping the ante by offering a comprehensive suite of detection and response capabilities packed under the heading of managed detection and response (MDR). This takes the service principle of MSSP security but adds a range of more advanced capabilities to that mix, including:

• More advanced threat detection. Unlike an inhouse IT department, an MSSP offering MDR draws on experience of a wide range of attacks, including complex ones such as advanced persistent threats (APTs) which can only be spotted using sophisticated threat intelligence analysis.
• Accredited Security Operations Center (SoC/SoC-as-a-Service) capability, important in some sectors for regulatory and compliance reasons. This frees up inhouse IT teams to carry out day-to-day support and management.
• Access to the sort of cybersecurity skills which would be difficult for organizations to hire for inhouse IT departments.
• The ability to perform monitoring and analysis of specialized networks such as OT, IoT, SCADA, and smart cities, which have hitherto been difficult to protect. Ditto, cloud environments such as PaaS, IaaS, and even SaaS.
• Advanced endpoint protection and response (EDR), which has become critical at a time when large numbers of employees work remotely or from home.
• The ability to test defences by simulating cyberattacks in a controlled way.

Computer security incident response team (CSIRT) support is a capability with increasing appeal, through which MDR SoCs react to the attacks they’ve detected in real time. This is complex undertaking often provided as initial threat triage, containment, and incident resolution. Post -incident forensics is becoming a major tool used to understand how a threat penetrated an organization’s network in the first place.

What makes one MDR different from another?

MDR services are built on an integrated platform built from a suite of cybersecurity elements such as security information and event management (SIEM), the industry MITRE ATT&CK framework, and high-throughput event correlation. Unfortunately, assessing MDR is always about numerous smaller details, including response times, the nature of event logging (and how long these are kept), the geographical coverage of SoCs, and the access to specific types of expertise.

Conclusion: The new IT department

In principle, buying an MDR service is like hiring a third-party Security Operations Centre (SoC) but without the expense and complexity of running one in-house. It’s like having on hand a center of excellence that pools expertise and experience under one roof, equipped with the latest detection systems. However, the benefit of MSSP MDR isn’t simply about managing ongoing threats. When enterprises assess the state of their current network at the beginning of the contract, they often discover it has more vulnerabilities and embedded malware than they imagined. This is the sort of detection task that requires the sort of expert advice which can be provided by an MSSP offering MDR.